reconsidering default exit policy

Valient Gough vgough at pobox.com
Fri Mar 11 10:02:44 UTC 2005
Geoffrey Goodell wrote:
># reject private networks (no surprises!)  My understanding is that you
># might want to eliminate the 127.0.0.0/8 line if your kernel
># short-circuits connections to local services and if you want those
># services to be available to Tor users who happen to choose your Tor
># node as an exit... someone please correct me if this is wrong.
>
>ExitPolicy reject 0.0.0.0/255.0.0.0:*
>ExitPolicy reject 127.0.0.0/255.0.0.0:*
>ExitPolicy reject 10.0.0.0/255.0.0.0:*
>ExitPolicy reject 172.16.0.0/255.240.0.0:*
>ExitPolicy reject 192.168.0.0/255.255.0.0:*
>ExitPolicy reject 169.254.0.0/255.255.0.0:*
>
># reject ports officially used for protocols that were never meant to be
># anonymous (e.g. email, usenet) because of the spam risk, thus reducing
># our worry that the world would associate Tor with pro-spam advocacy.
>
>ExitPolicy reject *:25
>ExitPolicy reject *:119
>
>

Speaking of Usenet, several people on this list (including me) have had
problems with their server being blacklisted because someone used Tor to
abuse Usenet via Google.  It might be nice for new Tor operators if that
was blocked by default.

Also, is the list of private networks above exhaustive?  I took my list
of networks to block from my firewall list (from firehol.sourceforge.net):

# IANA Reserved IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix at gescosoft.com>
# Optimized (CIDR) by Marc 'HE' Brockschmidt <marc at marcbrockschmidt.de>
# Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
# The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8
36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6
89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5
184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"

# Private IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix at gescosoft.com>
# Revised by me according to RFC 3330. Explanation:
# 10.0.0.0/8       => RFC 1918: IANA Private Use
# 169.254.0.0/16   => Link Local
# 192.0.2.0/24     => Test Net
# 192.88.99.0/24   => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking addresses
# 192.168.0.0/16   => RFC 1918: Private use
PRIVATE_IPS="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24
192.88.99.0/24 192.168.0.0/16"


regards,
Valient
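
As an added check (my own example, not code from the thread, from Tor or from firehol), the following Python parses the quoted ExitPolicy reject lines and reports which blocks of the PRIVATE_IPS list an exit with that policy would still forward traffic to. It assumes only the two lists as posted above and Python's standard ipaddress module, which accepts Tor's dotted-netmask form.

```python
import ipaddress

# Exit policy quoted in the thread (Tor's "addr/netmask:port" form).
EXIT_POLICY = """
ExitPolicy reject 0.0.0.0/255.0.0.0:*
ExitPolicy reject 127.0.0.0/255.0.0.0:*
ExitPolicy reject 10.0.0.0/255.0.0.0:*
ExitPolicy reject 172.16.0.0/255.240.0.0:*
ExitPolicy reject 192.168.0.0/255.255.0.0:*
ExitPolicy reject 169.254.0.0/255.255.0.0:*
ExitPolicy reject *:25
ExitPolicy reject *:119
"""

# The firehol PRIVATE_IPS list from the message, joined onto one line.
PRIVATE_IPS = ("10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 "
               "192.0.2.0/24 192.88.99.0/24 192.168.0.0/16")

def parse_exit_policy(text):
    """Split 'ExitPolicy reject' lines into (rejected networks, rejected ports).
    Only a reject of every port ('*') counts as covering a network; a reject
    of one port leaves the network reachable on all the others."""
    nets, ports = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[:2] != ["ExitPolicy", "reject"]:
            continue
        addr, port = parts[2].rsplit(":", 1)
        if addr == "*":
            if port != "*":
                ports.add(int(port))
        elif port == "*":
            # ipaddress understands both "a.b.c.d/prefixlen" and "a.b.c.d/netmask".
            nets.append(ipaddress.ip_network(addr, strict=False))
    return nets, ports

def uncovered(cidr_list, rejected_nets):
    """Return the CIDR blocks in cidr_list not wholly inside a rejected network."""
    missing = []
    for cidr in cidr_list.split():
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(r) for r in rejected_nets):
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    nets, ports = parse_exit_policy(EXIT_POLICY)
    print("ports rejected everywhere:", sorted(ports))
    print("private ranges still exitable:", uncovered(PRIVATE_IPS, nets))
```

Run against the two lists as posted, it reports 192.0.2.0/24 and 192.88.99.0/24 as the blocks the exit policy does not reject.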
